AI in Cybersecurity: How it can be tricked

Using AI to provide cybersecurity solutions has received a lot of press in the past two years. The reality is that most “AI cybersecurity” products use Machine Learning (ML) techniques, which is just one subset of a broader range of techniques associated with deep AI.

ML techniques are being used in several cybersecurity domains including:

  • spam filtering
  • intrusion detection and prevention
  • botnet detection
  • reputation rating
  • fraud detection

To a much lesser extent some services are using ML to provide incident forecasting to help answer questions like: Is there observable behavior on the Internet which can be used to measure the likelihood that a particular organization is going to be attacked and the nature of the attack?

ML uses mathematical and statistical functions to extract information from data, and with that information ML tries to guess the unknown. ML uses various algorithms such as Naive Bayes, Random Forest, Decision Tree, and Deep Learning to analyze the data.

In order to increase the success of ML, lots of training data is generally used. Vendors of ML Cybersecurity products typically constantly gather data from their customers as well as using data generated by researchers.

Typically a form of supervised ML is used, in which a data set with metadata about what are valid behaviors versus what are malicious behaviors are used to teach a ML tool to make accurate predictions about related new data. For example, if the data set included 10 million email messages, including their full internet headers, along with metadata indicating which emails are harmless and which are malicious, the resulting tool may be able to determine if a newly encountered email message is harmless or malicious.

There are at least three ways in which cybercriminals might defeat ML cybersecurity:

  1.       Pollute the data set to cause ML tool to have a low rate of success or accuracy
  2.       Identify bias within the data used for training and design the attack to exploit the bias
  3.       Identify bias within the algorithm used to analyze the data and design an attack to exploit the bias

To provide a simple example, data might indicate that email purporting to be from a Nigerian prince, using incorrect English grammar, is spam. As result the attackers might decide to make the email appear to be from an established insurance company, using phrasing that has appeared in legitimate email from the real insurance company. This might be a way to exploit the training data bias. In theory, larger data sets from a wide variety of sources should lower the bias, but this is not always true.

Some products use a variety of algorithms and training data sets to provide a higher level of confidence that a single bias or single set of compromised data won’t compromise the overall integrity of the product.

DNS: Don’t ignore the risk to your company

by Sam Greengard, writer, Security Roundtable, February 19, 2019

It’s 5:30pm and you’re still at work going through the last batch of emails. You’re feeling a bit overwhelmed after a long day—you want to get home to dinner—when you see an e-mail from a co-worker that looks important. It has your name in it, the graphics look authentic and the wording sounds legit. You click a link to view a document but immediately notice something is amiss. Instead of going to mnocorp.com, you’ve arrived at mmocorp.com. And just like that, you have encountered a DNS exploit.

You’ve been tricked into clicking a link to a site that is now downloading malware onto your computer and into the company’s network. This could result in anything from a data breach to ransomware that spreads across your entire organization. “It’s a tactic that is incredibly easy to fall prey to and the results can be devastating,” says Rick Howard, chief security officer at Palo Alto Networks. 

The term DNS stands for Domain Name System. It’s the underlying address framework that directs traffic across the Internet and delivers users to websites. It transforms obscure codes and symbols—the actual numerical IP address—into an address with a name. 

However, savvy hackers and attackers exploit vulnerabilities in the DNS framework to shut down systems, inject malware and perform other exploits. These methods continue to advance and affect mobile systems as well as conventional web browsers.

DNS attacks can be tricky  

DNS attacks come in a few variations. A common method—a link in an e-mail that has been set up as a phishing or spear-phishing attack—relies on a slightly misspelled name or other visual deception to steer a user to a website that inserts malware into a computer. 

Other DNS exploits rely on human error. “An attacker will often create websites that have very similar DNS names to a legitimate site and then rely on people making a typo when entering a URL into the browser,” says Paul Hill, a senior consultant at SystemExperts, an independent security consulting firm. Some refer to this method as “typosquatting.”

Cyberthieves also trick DNS registrars into changing records to redirect traffic to an IP address they control. Although many of these domains become known quickly—and are either shut down or blacklisted—some manage to get through. “This may result in users accessing a ‘trusted site’ that is under control of an untrusted party,” Hill points out. 

In addition, Howard says that activists and hacktivists launch attacks on sites and attempt to take them down by flooding them with illegitimate traffic. Nation states might also enter the picture. This type of DNS amplification attack strengthens the force of a distributed denial of service (DDoS) attack.  

Addressing DNS security risk

Regardless of the specific approach in DNS attacks, organizations can take basic steps to protect their assets. First, it’s critical to use a DNS cybersecurity solution that addresses known offenders and blacklists them. This is a highly effective way to block phishing and spear-phishing attacks. 

Hill says that organizations can also benefit by creating secure connections. Traditional DNS queries and responses travel over unencrypted connections. This makes it easier to eavesdrop and spoof. By encrypting traffic through a method called Transport Layer Security (TLS) and using certificates, it’s possible to diminish the odds that an attack will succeed.

Other methods can also aid in the battle against DNS attacks. One popular approach is to train employees to spot illicit sites by hovering their mouse over a URL and inspecting it. Some companies also use simulated phishing attacks to raise awareness. These exercises help people spot fake messages. In some cases, Howard says, they can reduce clicks on bad links by an order of magnitude. “But you still can’t prevent some people from clicking on bad links, which is why you need a multi-layered approach and the right DNS software,” he explains.

Additional steps include security tools that quarantine messages based on specific words or phrases, a greater use of encryption and endpoint security, and rethinking procedures—including authorizations. While these may not stop a DNS attack from taking place or a network from becoming infected by malware, it can aid in thwarting additional phishing and spear-phishing, and prevent specific transactions from taking place. Howard adds: “Blocking domain names that are known to be bad is the best protection of all. Hackers can’t break into a system when they are blocked.” 

When reputation is on the line

DNS attacks pose a serious threat to reputational risk. The European Union’s General Data Protection Regulation (GDPR) introduced stringent breach reporting requirements for organizations doing business in the European Union. Australia, as well as states such as California, are introducing new privacy regulations and reporting requirements. This adds potential visibility and regulatory scrutiny to a DNS attack. It exposes a company to investigations and penalties. 

What’s more, businesses are increasingly required to take into account state-of-the-art technology and use this as a standard when determining risk. This means they can be held accountable for failing to upgrade their defenses to meet the regulation. 

Then there are also responsibilities to shareholders. DNS attacks that lead to major damage can cost a company millions of dollars and put senior executives directly in the firing line. They may be held responsible for damages. The cost of fixing the problem is often compounded by lost sales and eroded trust for an e-commerce platform, if the site is down for any period of time. A 2017 study conducted by Ponemon Institute found that the average data breach now costs a company $3.9 million.

There are no quick fixes. Typosquatting and other techniques that exploit misspellings, typos and variations on actual top-level domains will continue to pose a threat. Although the problem would vanish overnight if every company registered domain names with an encrypted certificate, this isn’t going to happen. Consequently, it’s critical for your organization to include DNS attacks in its overall risk management strategy.

DNS attacks represent both a practical risk and a reputational risk. Executives can take aim at the problem through a coordinated approach that involves security tools, training and a governance framework that promotes trust. When executives address all three components, it’s possible to build a more coordinated and holistic defense.

Here are a few examples of how DNS attacks are engineered (fake URLs are frequently embedded in links that do not automatically display the actual address):

Misspellings

Google.com -> Goggle.com

Microsoft.com -> Microosoft.com

Apple.com  -> Aqqle.com

Domain confusion

www.bankoftheworld.com/newproduct  -> www.newproduct/bankoftheworld

www.airline/newflight.com  -> www.airlines/newflight.com

Country code and top-level domain abuse

www.rusticwinery.com  -> www.rusticwinery.co

www.securityaces.com  -> www.securityaces.cm

SystemExperts’ Jon Gossels Contributes to New Book, Supreme Leadership Habits

I’m so pleased to be one of the contributing thought leaders for Alinka Rutkowska recently published book –  Supreme Leadership Habits: Gain 850 Years of Wisdom from Successful Business Leaders. Alinka, an international best-selling author, interviewed 34 executives celebrating their 25th anniversary in 2018, and shares their secrets to growing profitable businesses. My contribution discusses the genuine respect we have here at SystemExperts for our customers and the culture that has allowed our company to continue to deliver outstanding services to our clients.

“We employ staff who know what they’re doing. Our methodologies are structured to build on the clients’ strengths and we model ourselves as an extension of their teams. It’s a collegial approach and never adversarial.  At our company we have a sincerity aspect that’s part of our culture. It’s not just me treating people right; it’s all of us treating our clients and vendors right. We are who we are; we don’t pretend to be what we’re not.”

Alinka continues to quote me discussing our corporate culture. “Corporate culture isn’t one person. It’s organic. It’s almost like an organism. It evolves; it changes, depending on the mix of people involved and what the stresses are on the outside environment. At our company we have a sincerity aspect that’s part of our culture. It’s not just me treating people right; it’s all of us treating our clients and vendors right. We are who we are; we don’t pretend to be what we’re not.

“Corporate cultures are complicated, and they reflect shared values. We feel we have a special culture. We do everything with integrity. We focus on quality and responsiveness for both our clients and our vendors. Key to our success is having an open mind and asking others to “tell us  what you think.”